Most network administrators who work with
routers are familiar with creating IPSec tunnels between routers
for WAN links. However, it's also possible to create an IPSec
tunnel directly to a remote Windows 2000 or 2003 server.
While this isn't a common task for system
administrators, it does offer benefits. Let's delve into the
details of creating this type of secure connection.
Configure the server
Configuring the server for inbound and outbound
communications is relatively simple. Follow these steps:
- Log on to the server with an account that has
local administrative privileges.
- Go to Start | Run, and enter
- Right-click IP Security Policies On Local
Machine, and select Create IP Security Policy. This launches the IP
Security Policy Wizard.
- Click Next. In the IP Security Policy Name
section, name the new policy (a typical convention is to use the
name of the site to which the policy will connect), and enter the
policy's purpose in the Description text box.
- In the Request For Secure Communication
section, leave the Activate The Default Response Rule check box
selected. This ensures that the server responds to IPSec requests
with this rule when no other rule is present.
- In the Default Response Rule Authentication
section, click the bottom radio button, and enter the preshared key
that you'll enter on the router that will make this VPN connection.
This key must be exactly identical to what you enter on the VPN
router. The recommended length is more than seven characters
and/or numbers.
- Click Next, and click Finish to close the IP
Security Policy Wizard.
Add rules for the tunnel
The properties for your IPSec policy will now
appear. To begin editing the properties of the IPSec tunnel, follow
- Click Add,
and click Next to launch the Security Rule Wizard.
- In the Tunnel Endpoint section, specify the
tunnel endpoint IP address (the remote router's external IP
address), and click Next.
- In the Network Type section, choose Local
Area Network (LAN), and click Next. (If you're
using Windows Server 2003, skip to Step 5.)
- In the Authentication Method section, enter
the preshared key (the same key you entered before), and click
- In the IP Filter List section, select All IP
Traffic (unless you want to define the specific ports and
protocols), and click Next.
- In the Filter Action section, create a filter
action by clicking Add and choosing Next, which launches the Filter
- Name the filter (e.g., Filter-Policy Name),
and click Next.
- In the Filter Action General Options section,
select Negotiate Security, and click Next.
- In the Communicating With Computers That Do
Not Support IPSec section, leave the Do Not Communicate With
Computers That Do Not Support IPSec check box selected. (Don't
allow unsecure communication to your internal server; this could be
a spoofed connection that doesn't have the correct crypto policy.)
- In the IP Traffic Security section, select
Custom, and click Settings.
- Make sure you've selected the Data Integrity
And Encryption (ESP) check box.
- Select MD5 from the Integrity Algorithm
drop-down list, and choose DES from the Encryption Algorithm
- Choose Session Key Settings, and select the
Generate A New Key Every 3600 Seconds check box.
- Click OK, click Next, and click Finish.
- In the Filter Action section, select the
filter action you just created, and select Next. (If you're using
Windows Server 2003, enter the preshared key here, and click
- Click Finish, click OK, and click Close.
This process creates the IPSec tunnel rule.
Once you've configured the router, right-click the security policy
you created, and select Assign.
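A pre-flight check for the values chosen in the steps above, as an added example that is not part of the original article: it compares the server-side settings (preshared key, ESP with MD5 and DES, 3600-second rekey) with what was entered on the router and reports where they disagree, without ever printing the key. The dictionary field names, the sample key, the router values and the error/warning severities are assumptions constructed for illustration.

```python
import hmac

# Server-side values as chosen in the wizard steps above; the key is a constructed sample.
SERVER = {"psk": "Examp1e-Key-9", "protocol": "ESP", "integrity": "MD5",
          "encryption": "DES", "rekey_seconds": 3600}
# Constructed router-side values: key pasted with a trailing space, different cipher.
ROUTER = {"psk": "Examp1e-Key-9 ", "protocol": "ESP", "integrity": "MD5",
          "encryption": "3DES", "rekey_seconds": 3600}


def check_tunnel_settings(server, router):
    """Return (severity, message) findings; an empty list means both sides agree."""
    findings = []
    s_key, r_key = server["psk"], router["psk"]
    # Constant-time comparison; the key itself is never placed in a message.
    if not hmac.compare_digest(s_key.encode(), r_key.encode()):
        if s_key.strip() == r_key.strip():
            reason = "psk differs only by leading/trailing whitespace"
        elif s_key.lower() == r_key.lower():
            reason = "psk differs only by letter case"
        else:
            reason = "psk mismatch"
        findings.append(("error", reason))
    # The article recommends a key of more than seven characters.
    if len(s_key) <= 7:
        findings.append(("warning", "psk is not longer than seven characters"))
    # Protocol and algorithm names are compared case-insensitively.
    for field in ("protocol", "integrity", "encryption"):
        if server[field].upper() != router[field].upper():
            findings.append(
                ("error", f"{field} mismatch: server {server[field]}, router {router[field]}"))
    if server["rekey_seconds"] != router["rekey_seconds"]:
        findings.append(
            ("warning", f"rekey interval differs: server {server['rekey_seconds']} s, "
                        f"router {router['rekey_seconds']} s"))
    return findings


if __name__ == "__main__":
    for severity, message in check_tunnel_settings(SERVER, ROUTER):
        print(f"{severity}: {message}")
```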
Protecting communications from an internal
server to an external network is easy using IPSec between the two
networks. It's simply a matter of properly configuring both the
router and the servers.